roykaandorp
Posts: 2
Joined: Wed Jun 13, 2018 7:18 pm

vpn bridge setup - no lan/internet (Solved)

Wed Jun 13, 2018 7:48 pm

Hello people, after bricking my router where my vpn server was installed to, I'm trying to install a vpn tap server to my rpi 3 that's running Raspbian stretch. I've tried different tutorials, but can't get it working. The problem is that I can connect to it but have no local and no internet access. For some reason I get 2 tap interfaces, is that normal? When I only stop the "[email protected]" the tap1 is still there, after also stopping the openvpn.service, it's gone. I'm busy for 3 days in a row, but can't see what I am missing. Could someone please help me?

Here is some information

Code:

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether b8:27:eb:e2:dd:0e brd ff:ff:ff:ff:ff:ff
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether b8:27:eb:b7:88:5b brd ff:ff:ff:ff:ff:ff
9: tap0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN group default qlen 100
    link/ether 9e:76:c5:47:a3:3d brd ff:ff:ff:ff:ff:ff
10: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9e:76:c5:47:a3:3d brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.34/24 brd 192.168.2.255 scope global br0
       valid_lft forever preferred_lft forever
11: tap1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/ether f6:26:84:f7:50:35 brd ff:ff:ff:ff:ff:ff 

server.conf

Code:

dev tap
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_M3PXrOrtGGybzWYJ.crt
key /etc/openvpn/easy-rsa/pki/private/server_M3PXrOrtGGybzWYJ.key
dh none
ecdh-curve secp384r1
server-bridge 192.168.2.34 255.255.255.0 192.168.2.90 192.168.2.100
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
compress lz4
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io 

ovpn file

Code:

client
dev tap
proto udp
ip addr 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_M3PXrOrtGGybzWYJ name
cipher AES-256-CBC
auth SHA256
compress lz4
verb 3
<ca>
-----BEGIN CERTIFICATE-----
etc etc

openvpn-bridge

Code:

#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.2.34"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.2.255"
eth_gateway="192.168.2.254"

case "$1" in
start)
    for t in $tap; do
        openvpn --mktun --dev $t
    done

    brctl addbr $br
    brctl addif $br $eth

    for t in $tap; do
        brctl addif $br $t
    done

    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done

    sleep 10

    ifconfig $eth 0.0.0.0 promisc up

    sleep 5

    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

    sleep 2

    route add default gw $eth_gateway
    ;;
stop)
    ifconfig $br down
    brctl delbr $br

    for t in $tap; do
        openvpn --rmtun --dev $t
    done

    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast

    route add default gw $eth_gateway
    ;;
*)
    echo "Usage:  openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0

Last edited by roykaandorp on Thu Jun 14, 2018 11:27 pm, edited 1 time in total.

epoch1970
Posts: 2019
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: vpn bridge setup - no lan/internet

Thu Jun 14, 2018 9:21 pm

Your server config doesn't specify "dev tap0" so it creates a tap, tap1 since tap0 already exists.
Try "dev tap0" instead in openvpn conf.

That openvpn bridge script is a bit antiquated. On Raspbian Stretch you would disable dhcpcd on the bridge members, and define the bridge in /etc/networking/interfaces.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel
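
The mismatch described in the reply above (an unnumbered `dev tap` in server.conf while the bridge script only enslaves `tap0`) can be checked mechanically. The script below is an added example, not part of the thread or of PiVPN/OpenVPN; the function names and the sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the "dev" in an OpenVPN server config name a TAP
# interface that the bridge script actually enslaves to the bridge?

# First "dev" directive in an OpenVPN config file.
conf_dev() { awk '$1 == "dev" { print $2; exit }' "$1"; }

# TAP list from the bridge script's  tap="tap0 tap1"  assignment.
bridge_taps() { sed -n 's/^tap="\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1; }

# check_dev CONF BRIDGE_SCRIPT: prints a verdict, returns 0 only on a match.
check_dev() {
    dev=$(conf_dev "$1")
    taps=$(bridge_taps "$2")
    case "$dev" in
        tap[0-9]*) ;;
        tap) echo "UNPINNED: 'dev tap' takes the next free tapN, bridged: $taps"
             return 1 ;;
        *)   echo "NOT-TAP: dev is '$dev'"; return 1 ;;
    esac
    for t in $taps; do
        if [ "$t" = "$dev" ]; then echo "OK: $dev is a bridge member"; return 0; fi
    done
    echo "UNBRIDGED: $dev is not in the bridge list ($taps)"
    return 1
}

# Constructed sample files mirroring the thread's configs.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'dev tap\nproto udp\nport 1194\n'  > "$tmp/server.conf"
printf 'dev tap0\nproto udp\nport 1194\n' > "$tmp/fixed.conf"
printf 'dev tap1\nproto udp\nport 1194\n' > "$tmp/other.conf"
printf 'br="br0"\n# e.g. tap="tap0 tap1 tap2".\ntap="tap0"\neth="eth0"\n' > "$tmp/openvpn-bridge"

for c in server fixed other; do
    check_dev "$tmp/$c.conf" "$tmp/openvpn-bridge" || true
done
```

On a live system the same question is answered by comparing the `master br0` flag in `ip addr` output, as in the first post, where tap0 carries it and tap1 does not.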

roykaandorp
Posts: 2
Joined: Wed Jun 13, 2018 7:18 pm

Re: vpn bridge setup - no lan/internet

Thu Jun 14, 2018 11:12 pm

epoch1970 wrote:
Thu Jun 14, 2018 9:21 pm
Your server config doesn't specify "dev tap0" so it creates a tap, tap1 since tap0 already exists.
Try "dev tap0" instead in openvpn conf.

That openvpn bridge script is a bit antiquated. On Raspbian Stretch you would disable dhcpcd on the bridge members, and define the bridge in /etc/networking/interfaces

Thank you very much, stupid I didn't see that. I'm a bit further now, I can browse the internet via the vpn (checked the speed). But still no LAN access.
Edit: I found the problem, I had to change in the server.conf file the line "server-bridge 192.168.2.254 255.255.255.0 192.168.2.90 192.168.2.100", now I filled in the gateway. And I had to route the client, 192.168.2.0/24 via 192.168.2.254. Thank you for the help.
